#!/bin/sh /etc/rc.common

START=99
STOP=15
USE_PROCD=1

NAME=udp2raw

_log() {
	logger -p "daemon.$1" -t "$NAME" "$2"
}

has_valid_server() {
	local server
	for server in $@; do
		[ "$(uci_get $NAME $server)" = "servers" ] && return 0
	done
	return 1
}

add_ipt_rule() {
	if [ -z "$ipt_cmd" ]; then
		command -v iptables >/dev/null 2>&1 || return 1
		ipt_cmd='iptables'
		[ -n "$(iptables -h 2>/dev/null | grep -e '--wait')" ] && ipt_cmd="$ipt_cmd --wait"
		echo "# firewall include file" >"/var/etc/$NAME.include"
	else
		echo "$ipt_cmd" | grep -q -e '--wait'
		[ $? -ne 0 ] && sleep 2
	fi

	$ipt_cmd -I INPUT -s "$server_addr"/32 -p tcp -m tcp --sport "$server_port" -m comment --comment "${NAME}DwrW" -j DROP
}

flush_ipt_rules() {
	iptables-save -c | grep -v "${NAME}DwrW" | iptables-restore -c
	[ -f "/var/etc/$NAME.include" ] && rm -f "/var/etc/$NAME.include"
}

export_ipt_rules() {
	[ -f "/var/etc/$NAME.include" ] || return
	cat <<-CAT >>"/var/etc/$NAME.include"
		iptables-save -c | grep -v "${NAME}DwrW" | iptables-restore -c
		iptables-restore -n <<-EOF
		$(iptables-save -t filter | grep -E "${NAME}DwrW|^\*|^COMMIT" | sed 's/^-A /-I /')
		EOF
	CAT
}

create_config() {
	local config_file="$1"
	echo "# auto-generated config file from /etc/config/udp2raw" >$config_file

	echo "-c" >>$config_file
	echo "-l ${listen_addr}:${listen_port}" >>$config_file && _log "info" "listening on: ${listen_addr}:${listen_port}"
	echo "-r ${server_addr}:${server_port}" >>$config_file

	[ -n "$raw_mode" ] && echo "--raw-mode ${raw_mode}" >>$config_file && _log "info" "raw-mode: ${raw_mode}"
	[ -n "$key" ] && echo "--key ${key}" >>$config_file
	[ -n "$cipher_mode" ] && echo "--cipher-mode ${cipher_mode}" >>$config_file
	[ -n "$auth_mode" ] && echo "--auth-mode ${auth_mode}" >>$config_file

	[ $auto_rule -eq 1 ] && [ $keep_rule -eq 1 ] && echo "--auto-rule" >>$config_file
	[ $auto_rule -eq 1 ] && [ $keep_rule -eq 1 ] && echo "--keep-rule" >>$config_file

	[ -n "$seq_mode" ] && echo "--seq-mode ${seq_mode}" >>$config_file
	[ -n "$lower_level" ] && echo "--lower-level ${lower_level}" >>$config_file
	[ -n "$source_ip" ] && echo "--source-ip ${source_ip}" >>$config_file
	[ -n "$source_port" ] && echo "--source-port ${source_port}" >>$config_file
	echo "--retry-on-error" >>$config_file

	[ -n "$log_level" ] && echo "--log-level ${log_level}" >>$config_file
	echo "--disable-color" >>$config_file
}

validate_config_section() {
	uci_validate_section "$NAME" general "$1" \
		'server:uciname' \
		'daemon_user:string:root'
}

validate_server_section() {
	uci_validate_section "$NAME" servers "$1" \
		'server_addr:host' \
		'server_port:port:8080' \
		'listen_addr:ipaddr:0.0.0.0' \
		'listen_port:port:2080' \
		'raw_mode:or("faketcp", "udp", "icmp", "easy-faketcp"):faketcp' \
		'key:string' \
		'cipher_mode:or("aes128cbc", "xor", "none"):aes128cbc' \
		'auth_mode:or("md5", "crc32", "simple", "none"):md5' \
		'auto_rule:bool:0' \
		'keep_rule:bool:0' \
		'seq_mode:range(0,4)' \
		'lower_level:string' \
		'source_ip:ipaddr' \
		'source_port:port' \
		'log_level:range(0,6)'
}

start_instance() {
	local server="$1"

	if [ -z "$server" ] || [ "$server" = "nil" ]; then
		return 0
	elif ! validate_server_section "$server"; then
		_log "err" "Server config validation failed."
		return 1
	fi

	# 服务器地址必须是域名或者ip地址
	/sbin/validate_data "hostname" "$server_addr" >/dev/null 2>&1 || {
		_log "err" "Server address validation failed."
		return 1
	}

	# 若服务器地址为ip地址，则无需处理
	# 若服务器地址为域名，尝试进行域名解析，获取ip地址
	/sbin/validate_data "ipaddr" "$server_addr" >/dev/null 2>&1 || {
		local server_hostname="$server_addr"
		local retry_count
		for retry_count in $(seq 1 3); do
			server_addr=$(nslookup "$server_hostname" | sed -n 's/^Address[[:space:]]*[0-9]*:[[:space:]]*\(\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\)$/\1/p')
			/sbin/validate_data "ipaddr" "$server_addr" >/dev/null 2>&1 && break
			sleep 1
		done
		# 域名无法解析，报错退出
		/sbin/validate_data "ipaddr" "$server_addr" >/dev/null 2>&1 || {
			_log "err" "Server address validation failed."
			_log "err" "Host name $server_hostname can not be resolved."
			mkdir -p /var/run
			touch "/var/run/udp2raw.hostname_not_resolved.err"
			return 1
		}
	}

	rm -f "/var/run/udp2raw.hostname_not_resolved.err"

	[ -d /var/etc ] || mkdir -p /var/etc
	local config_file="/var/etc/${NAME}.${server}.conf"
	create_config "$config_file" || return 1

	if [ $auto_rule -eq 1 ] && [ $keep_rule -ne 1 ]; then
		add_ipt_rule || {
			_log "err" "added iptables rule failed."
			return 1
		}
	fi

	procd_open_instance
	procd_set_param limits nofile="65535 65535"
	[ -e /proc/sys/kernel/core_pattern ] && {
		procd_append_param limits core="unlimited"
	}

	procd_set_param command /usr/bin/udp2raw
	procd_append_param command --conf-file "$config_file"
	procd_set_param respawn
	procd_set_param file "$config_file"
	[ -n "$daemon_user" ] && procd_set_param user "$daemon_user" && _log "info" "running from ${daemon_user} user"
	procd_set_param pidfile "/var/run/${NAME}.${server}.pid"
	procd_close_instance
}

start_service() {
	if ! validate_config_section "general"; then
		_log "err" "Config validate failed."
		return 1
	fi
	has_valid_server $server || return 1
	flush_ipt_rules
	for srv in $server; do
		start_instance $srv
	done
	export_ipt_rules
}

stop_service() {
	flush_ipt_rules
}

reload_service() {
	restart
}

service_triggers() {
	procd_add_reload_trigger "$NAME"
}
